Wed Jul 17, 2013 6:31 pm
In your case, you added the ethernet interfaces to the bridge, and then built VLANs on those ethernet interfaces. The router doesn't know anything about those VLANs. For the router, the L2 VLAN traffic is just like any other L2 traffic, and gets bridged.
Then you applied "use-ip-firewall", which deals with L3 packets, and at the end you probably have a drop-all rule.
Since the VLAN packets don't have any L3 headers, they are getting dropped, and there is really no good way to allow them to pass through the firewall.
My advice is to tag all the traffic to the router, and then add the individual VLAN ports to two separate bridges, one bridge for each VLAN. Then the firewall will see all the L3 traffic properly, and you can simply allow the traffic on one of the bridges in the firewall.
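The layout recommended in the post above, written out as RouterOS CLI commands. This is an added example, not configuration posted by anyone in the thread. The port names (ether1, ether2 as the tagged trunk ports), the VLAN IDs (10 and 20), the bridge names, and the choice that VLAN 10 is the one allowed through are all assumptions; the firewall matchers assume that with use-ip-firewall enabled, bridged traffic shows up in the forward chain with the bridge interface as both in-interface and out-interface.

```routeros
# Added example (not from the thread). Assumed names: ether1/ether2 are the
# trunk ports carrying tagged VLAN 10 and VLAN 20; bridge-vlan10 is the one
# whose traffic should pass, bridge-vlan20 is the one to be blocked.

# 1. One VLAN interface per (port, VLAN) pair, so the router sees the tags
#    instead of bridging the tagged frames blindly as plain L2 traffic.
/interface vlan
add name=ether1-vlan10 interface=ether1 vlan-id=10
add name=ether2-vlan10 interface=ether2 vlan-id=10
add name=ether1-vlan20 interface=ether1 vlan-id=20
add name=ether2-vlan20 interface=ether2 vlan-id=20

# 2. One bridge per VLAN. Only the VLAN sub-interfaces are bridge ports,
#    never the raw ether1/ether2 (that is what caused the original problem).
/interface bridge
add name=bridge-vlan10
add name=bridge-vlan20
/interface bridge port
add bridge=bridge-vlan10 interface=ether1-vlan10
add bridge=bridge-vlan10 interface=ether2-vlan10
add bridge=bridge-vlan20 interface=ether1-vlan20
add bridge=bridge-vlan20 interface=ether2-vlan20

# 3. Send bridged traffic through the IP firewall.
/interface bridge settings
set use-ip-firewall=yes

# 4. Bridged packets now reach the forward chain with the bridge as both
#    in-interface and out-interface. Accept the permitted bridge, drop the rest.
/ip firewall filter
add chain=forward in-interface=bridge-vlan10 out-interface=bridge-vlan10 \
    action=accept comment="allow bridged VLAN 10"
add chain=forward action=drop comment="drop everything else, incl. VLAN 20"
```

The final drop rule sits in the forward chain, so it only affects traffic passing through the router (bridged or routed), not traffic to the router itself, which goes through the input chain. After applying it, `/ip firewall filter print stats` should show the accept rule's counters climbing for VLAN 10 hosts and the drop rule's counters climbing for VLAN 20, which is a quick way to confirm the firewall is actually seeing the per-bridge traffic rather than dropping everything as before.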